Friday Aug 23, 2013

As
organized cyber-attacks become sophisticated and targeted, organizations,
particularly those in the financial and health sectors, have come under strict
regulations. The growing security risks
from internal and external sources have brought focus on both preventive and
detective controls working together to protect data. In this edition of the
Oracle IAM blog series, we will take a look at how an organization can leverage
Oracle’s Identity and Access Management technologies in conjunction with
Oracle’s database security offerings.

Challenge

Traditionally,
encryption has been considered as the required approach to protect information.
However, complex information systems have led to implementation of a
defense-in-depth approach to database security that includes stronger
preventive and detective controls. In addition to encryption, preventive
measures should also include restricting access to data within the
organization. Compliance requirements on the other hand, have driven adoption
of detective controls such as database activity monitoring and auditing.
Detective controls complement preventive controls by filtering attempts to
connect to the information system, generating activity reports, and help
investigations of potential breaches.

A
common concern identified in several organizations is the lack of insight about
the access users have. This usually stems from multiple points to manually
create users and ad-hoc processes, such as a phone call, to grant access to
applications. By relying on incoherent manual processes to provide, monitor and
audit user access, the organization risks drastic implications on the privacy
and integrity of their information. Deloitte approaches this problem by
leveraging solutions like Oracle’s IAM stack to pro-actively restrict database
access by defining user profiles and centrally managing user life cycle. This,
coupled with preventive and detective controls, can offer a holistic approach
to securing information.

Separation of Duties

Separation
of duties is an important component to managing user access because it
separates the responsibility of sensitive tasks into multiple people, so that
no one person has all power. Oracle Database Vault, an add-on to Oracle
database, protects against insider threats by restricting read/write access to
sensitive data. For example, an administrator can be allowed to increase or
decrease the size of a table, but given the role, they will be denied
read/write access to the contents of the table. By securing access to the data
based on multi-factor policies such as application, IP address, and other
pre-determined factors, organizations have granular control over what, when,
where, and how users can access sensitive data.

Deloitte’s
strategy lets the client manage access to its data layer by separating approach
vectors, such as internal or external clients, or type of access such as web
and mobile applications. Oracle Access Manager helps to control user’s access
to web applications, and Oracle Entitlement Server allows administrators to
control what a user can see within an application.

Preventive Controls

The
first step in this direction is to have a least-privilege approach to endeavor
to provide that each user has a base profile giving them minimum access to the
database. These profiles can be configured through Oracle Identity Manager
(OIM). If a user’s business function requires elevated access, it can be
requested. Requests access can be made through a central portal and provisioned
automatically through OIM. The requirement for approvals adds a layer of
control for the client over what a user can view or modify.

In
order to have granular access control, the information stored within the database
should be ranked based on sensitivity; this can be achieved by deploying Oracle
Label Security (OLS). With OLS in place, only the users with read/write access
to sensitive information will be able to interact with the data. By comparing a
user’s profile and the level assigned to the data, level based access to data
is determined. These data ranks are defined according to the organization’s
requirements with the highest level assigned to the most sensitive information.
Adding finer security controls, data is put in “compartments” that can have their
own levels. For example, the financial compartment can have the highest level
ranking.

Detective Controls

As
mentioned above, Oracle Database Vault provides security by preventing access.
There is a lot that can be done to secure information above the data level. Database
defense-in-depth also includes database activity monitoring and auditing. Oracle
Audit Vault and Database Firewall monitor database traffic to detect and block
threats. The tools help improve compliance reporting by consolidating audit
data from databases, operating systems, directories, and other sources. The
following illustration shows how the two can work together:

Logs
from the Database Firewall and other systems in the network, can be fed into the
Audit Vault. Then, custom and template-driven database activity reports can be
generated to help address compliance and regulations.

Conclusion

Deloitte
suggests organizations establish a database defense-in-depth strategy that
includes multiple layers of both preventive and detective security controls. By
logging the entire process of user account creation, granting access, changing
roles, and user account termination, the organization has a 360-degree approach
to access governance. Detective controls add valuable context for investigations
and provide a critical layer of security during a security breach incident. If network
firewalls are by-passed, or in the case of an insider threat, preventive controls
can offer a strong defense. Since these security controls are granular, they
can be effectively configured to limit employees to their day-to-day activities.
Identity and access management helps setup work flows for provisioning and defining
roles to limit access; this coupled with encryption, activity monitoring and
reporting, form a holistic defense-in-depth approach to security and compliance.